| Re: channel binding | <– Date –> <– Thread –> |
From: Jari Arkko (jari.arkko piuha.net)
|
|
| Date: Wed, 31 Aug 2005 10:45:45 -0400 (EDT) | |
Charles Clancy wrote:
--Jari
On Tue, 30 Aug 2005, Salowey, Joe wrote:
Regarding carrying a MAC of a blob instead of a blob itself, I think we need more analysis. If a blob is mixture of confidential and non-confidential parameters, can't the non-confidential parameters and the MAC becomes a hint to find out the confidential ones?
[Joe] Maybe, I don't think that a MAC necessarily has the properties of a pseudo-random function so some information may leak into the MAC value. I'm not sure how close to a PRF something like HMAC is.
Originally, I meant that you would send both the channel binding blob, and also a keyed MAC of the blob. Would sending *just* the MAC also work? I guess both sides would have to know the channel parameters in order to verify them...
Yes, I think this is the distinction between Joe's class 1 and 2. Class 2 appears easier to deploy and debug, while class 1 may have some security advantages (like avoiding disclosure of private information) and is simpler.
The fact that the MAC is keyed prevents determination of confidential parameters. From a cryptographic standpoint, a random oracle/PRF isn't needed here, so HMAC or CBC-MAC should be sufficient.
--Jari
- RE: channel binding, (continued)
-
RE: channel binding Salowey, Joe, August 29 2005
- Re: channel binding Jari Arkko, August 29 2005
-
RE: channel binding Salowey, Joe, August 30 2005
-
RE: channel binding Charles Clancy, August 31 2005
- Re: channel binding Jari Arkko, August 31 2005
- Re: channel binding Yoshihiro Ohba, August 31 2005
-
RE: channel binding Charles Clancy, August 31 2005
-
RE: channel binding Salowey, Joe, August 29 2005
-
RE: channel binding Salowey, Joe, August 31 2005
- Re: channel binding Yoshihiro Ohba, August 31 2005
- RE: channel binding Salowey, Joe, August 31 2005
Results generated by Tiger Technologies using MHonArc.